Forbidden (service account and server are mapped to delegate HTTP service on the same server):

HTTP/Server1 DOMAIN\ServiceAccount1
HTTP/Server1 DOMAIN\Server1

Allowed (only server account is allowed to delegate HTTP service on that particular server):

HTTP/Server1 DOMAIN\Server1

Tools that you can use to troubleshoot SPN issues are:

CSVDE + Excel: You can use these two to find out if you have duplicate SPNs.

For example, run CSVDE -f results.csv -r "(objectClass=User)" -l "sAMAccountName,servicePrincipalName" from Command Prompt, then open results.csv in Excel and filter the data there to find the duplicates. After you have found them, you can remove the offending SPN using SETSPN.
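The Excel filtering step can also be scripted. The following is an added example, not part of the original page: it reports every SPN registered on more than one account. It assumes the CSVDE export has a DN column followed by the requested attributes, with multi-valued servicePrincipalName values joined by ";". The sample rows and the function name are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout CSVDE is assumed to produce for
# -l "sAMAccountName,servicePrincipalName": DN first, then the requested
# attributes, multi-valued attributes joined by ";".
SAMPLE_CSV = '''DN,sAMAccountName,servicePrincipalName
"CN=ServiceAccount1,CN=Users,DC=domain,DC=local",ServiceAccount1,HTTP/Server1
"CN=Server1,CN=Computers,DC=domain,DC=local",Server1$,"HOST/Server1;http/server1;HOST/Server1.domain.local"
"CN=Server2,CN=Computers,DC=domain,DC=local",Server2$,HOST/Server2
"CN=Alice,CN=Users,DC=domain,DC=local",alice,
'''


def find_duplicate_spns(csv_text):
    """Return {spn: [accounts]} for every SPN held by more than one account."""
    owners = defaultdict(set)   # lower-cased SPN -> accounts that carry it
    display = {}                # lower-cased SPN -> first spelling seen
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = (row.get("sAMAccountName") or "").strip()
        for spn in (row.get("servicePrincipalName") or "").split(";"):
            spn = spn.strip()
            if not spn:
                continue        # account has no SPN registered
            key = spn.lower()   # SPNs are compared case-insensitively
            display.setdefault(key, spn)
            owners[key].add(account)
    return {display[k]: sorted(v) for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    for spn, accounts in find_duplicate_spns(SAMPLE_CSV).items():
        # Deciding which account should keep the SPN is a manual step;
        # the other registration is the one to remove with SETSPN.
        print(f"Duplicate SPN {spn}: {', '.join(accounts)}")
```

To check a real export, pass the text of results.csv to find_duplicate_spns instead of SAMPLE_CSV.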

KERBTRAY: You can use this tool to remove cached Kerberos tickets on the fly. Waiting for the ticket to expire by itself is a pain in the butt.